The Sustainability Podcast

The International Society of Automation's Cybersecurity Standards - An Interview with Andre Ristaino / Hosted by Larry O'Brien & Jim Frazer

November 18, 2019 The Smart Cities Team at ARC Advisory Group Season 1 Episode 9

A fascinating and deeply informative discussion on the ISA's cybersecurity standard 62443 and ISA's efforts in forming a global cybersecurity effort with guest Andre Ristaino, Managing Director, Automation Standards Compliance Institute and Director of ISAGCA

--------------------------------------------------------------------------

Would you like to be a guest on our growing podcast?

If you have an intriguing, thought provoking topic you'd like to discuss on our podcast, please contact our host Jim Frazer

View all the episodes here: https://thesustainabilitypodcast.buzzsprout.com

Larry O'Brien:

Hi everybody, and welcome to the latest installment of the ARC Smart Cities podcast. I'm Larry O'Brien, vice president of research at ARC Advisory Group. And with me today is Jim Frazer. Good morning, Jim. Go ahead and introduce yourself briefly and then we'll introduce our guest today.

Jim Frazer:

Sure. I'm Jim Frazer. I'm the vice president of the smart cities practice here at ARC. And we're very happy to have Andre Ristaino with us today.

Larry O'Brien:

Today we have with us Mr. Andre Ristaino, a managing director at ISA, the International Society of Automation, and good morning, Andre.

Andre Ristaino:

Good morning. Thank you.

Larry O'Brien:

Andre, we have some people on the line that are in smart cities, obviously, right? So they probably may not be familiar with ISA. So can you tell us a little bit about you and a little bit about the ISA?

Andre Ristaino:

ISA is the International Society of Automation. It's a professional engineering society and it has around 40,000 members. And its lot in life is to support continuing education and sharpening the saw for its professional engineers. We do conferences, publications. We have a refereed journal in technology. It comes out six times a year. Now, many, many more publications that come out more frequently. And ISA is also an ANSI accredited standards development organization. It's been around since 1945 and it's published more than 150 standards. Many of those standards are North American ANSI standards and typically they're submitted to the International Electrotechnical Commission, IEC, for internationalization. And so standards such as safety, wireless, and many, many, many standards related to business processes for, particularly, process industries. And the most recent standard is ISA IEC 624443, which is a series of 15 standards addressing cybersecurity for operational technology and where operational technology interfaces with what we recognize as traditional IT. So my specific role is, I was hired in 2007 to stand up a conformity assessment to do assessments and issue certificates of conformance for company operations or products to standards, maybe development processes. And so that's what I'm doing. I have two of those stood up now. Recently we stood up an organization called the Global Cybersecurity Alliance and this was in response to that big challenge that we have on a global basis in securing automation that affects their everyday lives. So that's kind of the nickel tour about ISA and myself.

Larry O'Brien:

Yeah. And like I said, I think a lot of people might not be aware of ISA, particularly if you're in the smart cities segment. I know a lot of people in building automation might be aware of it. But ISA 62443 really is a far reaching standard. And, like you said, it covers a lot of things, from secure development processes from your vendors to things like product certifications through ISA Secure and so forth. Can you give us a brief outline of what ISA 62443 is comprised of, because you said it's multiple standards, and I know a part of the reason that GCA was formed, this Global Cybersecurity Alliance, is that standards can be complex and I think the quote was standards aren't really written for the people that actually use them. Right. So maybe we could just get a sort of plain English description of the domains ISA 62443 covers and how that feeds into this Global Cybersecurity Alliance and trying to educate people about the importance of standards and what standards really mean to them.

Andre Ristaino:

Sure, sure. I'd be happy to. So, I guess the starting off position is that the value in the standards is that they codify hundreds, if not thousands of years of subject matter expertise in a particular area. It's like going to college. You have textbooks and they have all this factual information, so you don't have to go out in your life and bang your head against the wall and flatten it to gain the experience and get good at some particular area. So the standards tell you what are the right things to do, what are the right policies to address, that kind of thing. And then the next step is for folks implementing the standards to take the "what's" and turn it into the "how's" and the "when's" and that sort of thing. So the ISA 62443 standards were initiated in 2005. Organized in 15 documents. It's about 900 pages and they're organized into four broad areas. The first area establishes the context, the models, lexicons and the structure, the words, so that if you're sitting down and talking cybersecurity, the same words mean the same thing to each of the people sitting around the table. I find that one of the most difficult challenges when I'm having discussions about cybersecurity is that nobody starts a conversation by saying where they are in the life cycle of a system. And so that's one of the important things that these standards do. I haven't seen it with any others where it views the automation and control systems from a lifecycle perspective. And there's three broad areas. In the front end, there's the product suppliers who construct components and subsystems that are off the shelf pieces that are then cobbled together into a site solution, typically by integrators or maybe by a major supplier, but they're turning it into a site solution.
And then those site solutions are deployed jointly with the asset owner or facility owners and handed off for operations, maintenance throughout its useful life, and then on to retirement. So when you talk about cybersecurity, you gotta know where you are. If we're talking about putting security capabilities in the off the shelf products, then that audience and stakeholder group is the product suppliers. If you're talking about assembling them into a site solution, it's typically the integrators and what their integration practices are and best practices, that sort of thing. And then if you're talking about operating a secure site or facility, then the stakeholder is a combination of the end user and the integrator who deployed this system and then anybody else who's involved in day to day maintenance of this. So that's key. So, circling back to the structure of the standards. So there's the model, the lexicons, then general terminology, and there's another layer of the standards that addresses all the topics that are relevant to a facility owner or asset owner: establishing a security management plan, maintaining your systems, patching, working your working relationship with your service providers, who are the integrators and maybe maintenance people and the like. Then the next layer of the standards addresses security capabilities and requirements for a system, and a system is typically an integrated application. Then the next layer of the standards addresses security capabilities for components that go into the systems. So that would be embedded devices, software applications, network devices like routers, et cetera.

Larry O'Brien:

It really is a comprehensive standard. I think that's what's good about it. And it is a life cycle standard that addresses each aspect of the life cycle of a system. And that doesn't matter if it's a building automation system, right, or even a smart lighting system or what have you. So I think that's what's unique about it. And also that, like you said, there's been a lot of work put into this. This is not a new standard. This is many, many years of work that have been established by a lot of people who are leaders in their respective industries. So definitely something worth considering.

Andre Ristaino:

Yeah. So, and the standards, they come up for review and improvement every five years. So there are a couple of those documents that have been opened up and, based on what's been learned in the last 10 years, there are some really excellent improvements to it. But a little bit more about their applicability. So, the International Society of Automation has a large population of automation engineers in it. So if you look at the language in the standards, a lot of it reflects the folks who were on the standards committee and you see a lot of process industry language in there. However, the standards were deliberately written as a technology horizontal. And so for that reason, they are applicable to many different industry sectors, building automation. You could look, they're being applied to medical devices. I've had inquiries in the automotive sector, the energy sector, telecom, electric generation and distribution, et cetera. So there's a lot of different sectors. So you can see that we've got these standards, you don't want them to be shelfware. So, what are the activities needed to take these wonderful documents and get them from the shelf to implementation where people can use them on Monday morning when they come to work? And so that cries out for education, other types of derivative work products, training, education tools, techniques, work methods to deploy these standards, and also certification programs, conformity assessment, our products being constructed and offered to the market that are conforming to the standard. The conformance to the standards for products reduces the risk to a lower likelihood that you're going to have a cybersecurity event. And then you go down, go all the way out to the asset owner, the facility operator.
They are standards that, if implemented properly, operations will be more secure, and it addresses their security programs, maturity level of their policies and procedures, procurement practices, their maintenance and update practices, et cetera. So, we've done some of that with the Security Compliance Institute and the ISA Secure program. We're certifying products. We're going to move that program into certifying the integrators and then the facilities themselves. But again, the enabler, the glue, is bridging that gap between the published standard and implementation. And so that's what the Global Cybersecurity Alliance's mission is. So if you look at various organizations within ISA, you have like Automation Federation that runs LOGIIC. That's that oil and gas and cybersecurity. They mainly do R&D related to control systems. Then that's fed back into different areas. ISA Secure focuses on certification, and ISA, the main ISA organization, publishes standards and manages the standards committees and does training and education. And so the GCA, its objective is to scale this up, do it on a larger basis. So have multiple companies contributing and address sector specific issues like how-to guides and usage guides for securely deploying technology in the building management or smart cities space. And another series of documents were developed on medical devices, how to apply the ISA 62443 standards for securing medical devices. And you can just go on down the line.

Larry O'Brien:

Oh yeah. Other issues related to cybersecurity and medical devices. As I said, that's so great. If you read the news and so forth, there's always new vulnerabilities being exposed. And the practice of the industry I don't think is up to par either. So there's a lot of work that needs to be done, I think across the board, whether it's medical or building automation or facilities management or what have you. There's a lot of work that needs to be done.

Jim Frazer:

Andre, this is Jim. You quickly covered a couple of different areas: the standard, education and training, and then certification. Can you just quickly go through what assets are available today and how someone who's interested in a domain actually sources them? So, where do you get the standard, number one? And number two, what training and education materials or courses are available today and which ones are forecasted for the future, as well as maybe a little bit more about the certification programs for devices and for integrators themselves.

Andre Ristaino:

Right, right. So generalized cybersecurity training is available from the SANS Institute. They're a great organization. They do a great job. More specific to the ISA 62443 standards, ISA has four or five training classes that address the standards specifically. And they also issue certificates to personnel who take the classes and pass the test at the end. It's not a certification like a professional designation. It's a certificate program that says you've taken the class and you understand that body of knowledge you just took. You can go to the isa.org website where there's a lot of free material. You can download their training classes. There's books and materials also. ISA has a big publication operation as well. And so that's the source for that. I think what's going to happen is these certificate programs are going to evolve into certifications. One of the things that I'm asked frequently is, so we have a product certification scheme, ISA Secure, and product suppliers go, OK, that's great. Do you have a class that tells us how to use the standards for securing products? And we didn't have that.

Larry O'Brien:

This is a class that vendors can take to make sure that their products can be certified. Right?

Andre Ristaino:

Right.

Larry O'Brien:

Can you tell us about ISA Secure certification, for those that might not know? Because, I tell you, I see a lot of products out there in the world of smart cities, but there aren't a lot of products that have any kind of indication that they've been, quote unquote, cybersecurity tested. Right. There's very little mention of that out there in the world of smart cities. So maybe you could tell us a little bit about this product certification program and what that means and why that means that products are secure.

Andre Ristaino:

Yeah, so in the building industry, most people are familiar with UL standards, and UL has traditionally addressed safety issues, like capacities for transmitting electricity without things getting hot and catching on fire and other sorts of things like that. So they have a big footprint there. And the industry in general and technology is always focused on, and this is all industries, functionality. I want a product to do new things. Nobody asks these suppliers about cybersecurity. And so it's just recently that this has bubbled up and everybody's scrambling. What's the right thing to do? Cybersecurity's always been viewed as kind of like this black art, the guy with the hoodie and secret sauce. And so what the standard and our certification scheme are attempting to do is elevating cybersecurity from a black art to an engineering discipline. And so the ISA 62443 standards, we use the 4-1, which is a development process standard. It looks at a product development life cycle and addresses eight practice areas to ensure that they're being used by suppliers for securing products. If the suppliers are doing that, there is a pretty good probability that their products are going to be more secure. They're never 100%, but it takes you in the right direction and it's standards based. So there's a level playing field. So there's the 4-1 standard. There's a 4-2 standard, which addresses security capabilities like two factor log-ons, just functional security capabilities. And so this ISA Secure certification is an assessment of products and ensures that (a) it's under configuration control, it's addressing the 4-1 security development lifecycle requirements, and (b) that it assesses and confirms the security capabilities.
There are four levels of security, one through four, four being this sophistication level of a nation-state, level one being just inadvertent things like self inflicted wounds, putting a contaminated USB stick in a device, that kind of thing. And then the other dimension is the actual product testing. Most of the time when you talk about certifying a product, people have this vision of testing like what UL does, turning up the heat until something burns or breaks. Right? And so the testing tells you something, but it's just a point in time, like crash testing, and it's for a specific model and version and that sort of thing. So, but yeah, those are three dimensions. The assessment of the product security capabilities, the actual testing, and then confirming that the product was developed under a secure development life cycle. So, yeah, so that's it.

Jim Frazer:

Andre, you mentioned eight parameters or functional evaluation areas. Are those three of the eight?

Andre Ristaino:

So if you're looking at the security development lifecycle, and I don't have all eight of the practice areas for the security development lifecycle memorized, but it addresses the area of a secure architecture for a product. So we would expect to see that as a product's developed. There's a security architecture evaluation, review and design, so secure by design, and then secure development and secure coding practices, which is way down in the details. And then there's testing. And so there we expect to see, I think it's six categories of testing, like communication robustness testing, static or binary code analysis, broadcast storms, flood testing for like denial of service. And there's some other categories of testing. And then probably most important, and you don't see this with other standards, is incident response plans, communication plans, patch management plans. And so those are many of the dimensions of the practice areas that the auditors will expect to see. And they look for artifacts at these companies to ensure that, if they've declared that they're conforming to these practice areas, they'll go down and look at the testing artifacts and other artifacts to confirm that they're actually following them.

Larry O'Brien:

That's pretty comprehensive.

Andre Ristaino:

Yeah. So they defined software or product characteristics so that you can do updates to a product, which might be a patching of a bug, bug fixes. And then there's upgrades, which is typically something like a major release with new functionality. And so the way our program is set up is that it's assumed and confirmed that the products are under configuration control and that they have a patch management, patch release and notification process. So the end users said, yeah, we've been living with this for a long time. So if we're getting updates and patches, we can manage that. And so there's no requirement for recertification as those patches come out. But if there's a major upgrade, that means there's new functionality, well, that's a different attack surface. So we have this maintenance certification policy that says if there's an upgrade, you have to do a reassessment of the product. It may be a partial, but not the whole thing. But if they're patches and updates, you don't have to do a reassessment. And so that makes it economically efficient for the supplier, so that they can kind of parse what additional work they have to do to keep their certification.

Larry O'Brien:

So for our end users out there in the smart cities and building automation community, has ISA Secure started to certify products in that sector as well? And what's out there and what's going on as far as that?

Andre Ristaino:

So we have pretty good recognition where we started, in the traditional process industry, oil and gas, chemicals, et cetera. And in 2016, we did a study with companies that sell and support building management products: Johnson Controls, Siemens, Schneider Electric, Honeywell. There were some others, and we included some end users in the study. And our objective was, we're just very conservative about saying our program ISA Secure works for anything without having subject matter experts in that industry do the reviews and confirm it. And that's what we did. And so as a result of that, there was a big pickup in interest from the building management supplier space. And we added, in addition to Honeywell, Honeywell Process Systems were members and supporters and they're having products certified. Schneider Electric, same thing. But both of those organizations have other divisions with the building management systems. And so what they ended up doing was taking what they learned from their process industry certification programs, and they had to implement their own internal security development life cycle processes and get those audited. But what they did was they took what they learned in there and they transferred it, like with Honeywell, to their building technology group. And they did it for pennies on the dollar. A lot of the same technology that's used in the process industries, embedded devices, some software, other types of products, goes into building control products. A control system is a control system. And in the end, maybe the application interface might be slightly different, but it's the same. So that's why I emphasize that the standards are designed as a technology horizontal and applicable to a lot of sectors. So they started, they had it there. Johnson Controls did an evaluation of standards and certifications.
It's available for their products because they're not small, they're 30 billion a year, all building controls, services, whatever products. And they do all the building systems for the Pentagon, for instance. And so they do a lot of work with the DOD and federal government, as do the other ones. And so they have the DOD and federal government requirements as well. And so they are seeking a way to secure their systems, standards-based, that are applicable to the private sector and to the DOD and federal government in the USA. And these guys sell products globally too. So you're looking at the EU and Japan, et cetera. So that's another whole conversation.

Jim Frazer:

Andre, it's interesting that the standard really is application agnostic because, in our smart city domain, we tend to think of a smart city as having nine verticals. And I'll just list these because I think the standard applies to every single one. So one is buildings and building automation; energy infrastructure; telecommunications and backhaul infrastructure; transportation and mobility; health and human services and all that medical equipment; water and wastewater infrastructure; waste management; public safety, police body cams and all of that; and payments and finance. I could see where the standard touches all nine of those major smart city verticals.

Andre Ristaino:

Pretty close. Yeah. The one area that we always beg off on is like the financial sector. They kind of got into the cybersecurity game early on and have a lot of things that they do well, but there are some dimensions where this could be applicable. But for sure, you look at buildings, energy, telecom, transportation, hospitals, medical devices, water and wastewater, at least half of those are our sweet spot for ISA. So we've gotten interest from lighting manufacturers like Philips, and there's an organization called Design Lighting Corporation that does functional testing for energy efficiency. But a lot of these organizations that service these sectors that you're describing had functional specifications that they do certifications to, but they were missing the cybersecurity piece. This is all new and everybody's scrambling. And so it's great that ISA 62443 can work for most of them. They don't need to reinvent it. They can include a reference to ISA 62443, and getting ISA 62443 certified as part of their product certification. So, yeah, this is good. Our biggest issue is just going to market and letting people know that this exists so they don't go out and try to rewrite it on their own. Yeah. Yeah. I don't think that would be effort well spent, trying to rewrite a standard that basically already exists and is very comprehensive.

Jim Frazer:

ARC, as well as myself personally, are very active with the Illuminating Engineering Society. As we all know, lights are becoming nodes on the IoT network in buildings, outside of buildings and everywhere. And certainly there's a great need there for cybersecurity. They're woefully lacking in that regard.

Andre Ristaino:

Yup. I can see applications there. Yeah. And there's no bad guys there. It's just that nobody asked for it or there wasn't a perceived need for it years ago. And so it takes five or 10 years to turn the underlying technology around in a product category. So, but yeah, there's a lot of companies doing a lot with the lights and light fixtures, Sylvania, Osram, go down the list. I've talked to a lot of these companies. My biggest challenge personally was working predominantly with ISA Secure, and our budgets were oriented towards building certification schemes and enhancing those. We had a small budget for marketing, and so we were getting constant calls from our members to address other things like legislation. And so I've been up to DC and presented to FERC and been in Europe. I did a joint study with the EU for a certification scheme there. And the suppliers' big concern is they want to do the right things, but they want to do it standardized, and if they have a certification, they want that certificate of conformance to be recognized in the EU and the US, with the US DOD, the feds and Japan, et cetera. So that's another one for the Global Cybersecurity Alliance. We're not a lobbying organization, but what we want to do is be an active participant and ombudsman who tries to stitch these groups together, to harmonize these requirements and certification schemes.

Jim Frazer:

Andre, I don't know if we went in depth on the Global Cybersecurity Alliance. How was it founded? How many members are there? How does one get involved?

Andre Ristaino:

So, I would say probably for about the last three years, members of the Security Compliance Institute poked at me and said, hey, there were a lot of things that ISA should be doing. And you could do more. You're the perfect place. You're an independent, not for profit. You don't have an ax to grind, so you could be the place to organize. And so, why don't you guys go do this thing? And I was thinking myopically about ISA Secure. I'm like, well, we don't have much of a budget. You guys are billion dollar companies; we need you all to help do this. So finally there was some discussion and one of the suppliers pushed hard and said, look, let's start a new alliance then and put bigger money into it. And so that was discussed. And then internally at ISA, we looked at it and I became involved because I'm running the consortia, and we said, okay, we think we can stand this up. And the timing is good for it and there's an appetite. So we put together a structure and the usual PowerPoints and talked to a number of suppliers, and everybody was really positive, so we said, okay, we're gonna run with this. And so a few weeks later we made an announcement. There were a number of suppliers who were early thought leaders that thought it was a good idea. And so we worked with them and they helped shape what this thing looks like. And so the early adopters, if you will, are Honeywell, Johnson Controls, Rockwell Automation, Schneider Electric, major suppliers, and then a couple of cybersecurity technology suppliers. And so that was the kickoff. And so we announced it and we're actively recruiting and we're having continued success periodically. Maybe once a month we'll announce new members, but it's a who's who.

Larry O'Brien:

The membership has not been restricted to just vendors, right, Andre?

Andre Ristaino:

No. So we recognized early that having a balanced representation of stakeholder groups was important. So we talked to the suppliers first, and we're talking to end users now. Obviously I'm gonna go back and talk. I've already presented this to some of the big oil companies that are our ISA Secure members and there's genuine interest. And just to demonstrate how much interest there is, so for instance, our board members with ISA Secure are paying $50,000 a year as a board level member, and in the Global Cybersecurity Alliance, the top level founding members, they're going to commit to $500,000 over a three year period. So like 250,000 the first year and 125,000 each year thereafter, forever, for as long as we exist. And a lot of them are paying both. And at first I was surprised. Then I stepped back and looked at it. I said, well, people don't just spend money like that if they don't think they're getting value. So the fact that companies are signing up for both of these things, that's a validation that there's some value in this and that they feel good about the money spent. And so, to become a member, anybody can become a member. We're mainly looking for companies. We're not looking for individual members like ISA; that's an individual membership society. And so we're looking for companies who can provide funding and resources, obviously, and we're going to continue to recruit. So the big stakeholder groups that we look for are the suppliers and users and asset owners, facility owners, and technology providers in cybersecurity. And then the mainstream IT providers, 'cause they're part of this whole puzzle too. So you look at the IBMs, the Microsofts, the Googles. If you go to a process industry, you don't see a control system that's not using either a Linux or a Microsoft workstation. Right. And so the Ciscos and networking component providers.
So everybody that's in the value chain, whether you're a supplier or an integrator, that's the other group, the integrators. The consultants, cities that are doing consulting and assessments and that sort of thing. And the other group that we're extremely interested in are insurance companies. They've been struggling to find objective underwriting standards for a number of years now. I mean, three, four years ago I was part of a DHS committee, CIDAWG. Yeah. They have good acronyms. And so they were trying to cobble together a big giant database that they could query to do some analytics on insurance underwriting, like people, process and technology, which is most important, et cetera. And so I participated for a while, but I also have a background in IT. I asked them, what specific questions are you trying to answer? Because if you don't know what they are, you can put a database together that can't be queried to answer the questions that you want. And they didn't really know. So I kinda just faded out of it, 'cause I didn't see that their approach was broken, and their hearts were in the right place, but the approach wasn't. And so, but that's a problem that we want to solve. But if you have standards, if you can certify it to a standard, then that means you can measure, and you start out with maybe some imperfect measures, but this whole thing's going to take the same trajectory as the safety world. When safety standards first came out, people were like, oh no, safety is squishy. You can't codify it. You can't measure it. Well, today there's mathematical formulas. Right. Right. And so we are trying to move this whole cybersecurity thing from black art into an engineering discipline.

Larry O'Brien:

Yeah. Something that's measurable and improved.

Jim Frazer:

Andre, I'm, I'm impressed that, that it's not just a vendor driven initiative that you do have your balanced stakeholder communities.

Andre Ristaino:

We have a lot of people who have their fingers in the pie and push this thing along, and it's not me. There were a lot of really, really good people that are rolling up their sleeves and making some things happen. So that's good to hear. Yeah. So, Andre, if I'm an end user owner operator, where do I go? What are some of the resources? How do I get started? Maybe give us a brief list of places we can go to find out more on GCA, on ISASecure, and just ISA. If anybody wants to know what's available, they can just send me an email, and I'll personally take care of it, direct them on to the resources depending on what their immediate question is. There's always an immediate question, then there's the rest of it, right. And so I'll try to answer the immediate question and then give a briefing on what else is available. ISA offers training and education and books. So if you go to isa.org you can see what resources are available off that website. And that also has links to the ISASecure.org website. If you have companies that are only interested in certification, ISASecure.org. If a company's interested in the GCA, they can contact me directly and I'll send them the prospectus and the membership application and we will set up a teleconference to brief them and their teams on what we're doing and how they can participate. 'Cause there's something for everybody in the GCA. It can be technical, you can do white papers, participate in the government and regulatory dimension of it, which I think is extremely important. There's still so many ways to participate. Okay. How would we get in touch with you, Andre? You said we could get in touch with you and that, feel free to share all my contact information, my email address: aristaino@isa.org. My office phone number is area code (919) 990-9222 and I'm happy to share my mobile number. It's (919) 323-7660. Okay. So hopefully you get a ton of phone calls after this podcast.
I really think this has been a great interview. We really want to try and raise awareness of what ISA is doing, especially through the GCA, and a lot of the resources that you already have out there as far as certification and training and everything else. We're kind of getting near the end. Is there anything else we want to cover here before we sort of wrap things up? We're doing a lot of stuff. A new project is, I'm working with the National Electrical Manufacturers Association, NEMA, and we were prompted by the US Department of Defense to stand up an industry led certification scheme for facilities. And that would be commercial office buildings; it can be military bases, fuel depots, go down the list, right. This is not DOD sponsored. It's DOD inspired. They published a set of what they called unified facility controls, which is their cybersecurity standards. And it's used by the DOD and federal office buildings. And so all the federal properties need to comply with it. Well, they did the math. The feds, the US government DOD, owns $1 trillion of real estate, more than 500,000 buildings. And I don't know how many millions and millions of square feet of space. And they said, okay, all that needs to be secured. We've got our rules, but we didn't get funded for an audit function. They have no way to audit. So it's like IRS rules without the IRS to enforce it, right? So they said, well, what do we do? And so they wanted something industry led and the industry wants it. I've been at multiple meetings and all the suppliers are saying, line up this certification scheme for facilities, for building management systems at these facilities, with ISA 62443. We spent 10 years investing in them and they're good. Let's go with that. And so we're working on that. All the suppliers are on board and we're putting together a presentation for commercial and corporate real estate owners like CB Richard Ellis, Wells Fargo, Boston Properties, go down the list.
And so we're gonna tee up that group and we're going to present it and see what their level of interest is. And if they're, if they say, yeah, this makes sense, then we're going to stand this up like the LEED program. And so it'll be industry led, and if it's successful and the industry gets on board with it, over time, if you fast forward 10 years from now, likely it'll end up being a reference certification, similar to LEED program certifications now that you have counties and municipalities putting LEED requirements, which is a private certification, into their regular, into their procurement specs. Right. And so that's where this could land. That's, that's where they would like to see it land. And then the federal government and the DOD would say, look, just go with this ISA 62443 building management system certification scheme. And so that's, that's new. That sounds real. Needless to say, I'm busier than a one-armed paper hanger with poison ivy.

Larry O'Brien:

Well, Hey, we'd love to have you back to talk about that in more detail, as you progress, maybe we'll have you and NEMA come on. Tell us about what you guys are doing.

Andre Ristaino:

Great. Yeah. Yeah, we're, our next meeting's in the next six weeks or so. So in the next 60 days we'll probably have more concrete direction on that.

Larry O'Brien:

Sounds good. Great. Well, well, Andre, thank you very much for your time. This has been very instructive and enlightening and we're very happy to have had you. Thanks. Yeah, thanks very much, Andre. Thank you. [inaudible]
